Hacked - need info

Posted on 2002-05-13
Last Modified: 2010-04-13
Below is a snippet of my logs. I believe somebody is trying to hack into my server. I'm not sure if it succeeded or not.

My server is denying them access to the files requested by reporting error 404. What is error 500?

What about the default.ida? What is an ida file?

Thanks.

~~~~~~

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-09 06:11:49
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:13:41 202.98.62.200 GET /scripts/root.exe 404
06:13:42 202.98.62.200 GET /MSADC/root.exe 404
06:13:44 202.98.62.200 GET /c/winnt/system32/cmd.exe 404
06:13:44 202.98.62.200 GET /d/winnt/system32/cmd.exe 404
06:13:46 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:46 202.98.62.200 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:13:47 202.98.62.200 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:13:47 202.98.62.200 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
06:13:48 202.98.62.200 GET /scripts/..Á../winnt/system32/cmd.exe 404
06:13:48 202.98.62.200 GET /scripts/winnt/system32/cmd.exe 404
06:13:49 202.98.62.200 GET /winnt/system32/cmd.exe 404
06:13:49 202.98.62.200 GET /winnt/system32/cmd.exe 404
06:13:51 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:51 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:52 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:52 202.98.62.200 GET /scripts/..%2f../winnt/system32/cmd.exe 404
08:23:22 202.111.154.51 GET /default.ida 200
Question by:jchew
Author Comment

by:jchew
ID: 7005994
BTW, just FYI, I'm using Windows 2000 Professional with IIS. I constantly check for updates at the MS update site and have applied all the latest SPs.

Accepted Solution

by:jhance
ID: 7006037
This is the NIMDA probing your system.  But you're mostly OK.  If the response is 4XX or 500, it's a FAILURE and nothing happened.

But you have the default.ida in place:

>>>08:23:22 202.111.154.51 GET /default.ida 200

FIX THIS NOW.  You don't need this file anyway, just DELETE it.

Be sure you are up to date on all Microsoft HotFixes for your version of Windows.

Expert Comment

by:geoffryn
ID: 7006498
I agree with jhance. The fact that your server returned 200 for default.ida is a BAD thing. This just looks like a probe. If the log entry had looked like this:

08:23:22 202.111.154.51 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200
Then you might have a serious problem.
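The triage rule the two replies above describe (a 4xx or 500 on a probe path means the request failed; a 200 on default.ida means the .ida mapping is live, and a query string on it is an exploit attempt rather than a probe), written up as an added Python example that parses the IIS W3C log format shown in the question. This is not code from the thread: the sample records are constructed from the thread's own lines plus one benign request, and the verdict names and the `triage`/`classify` helpers are my own.

```python
import re
from urllib.parse import unquote

# Request stems the two worms probe for, taken from the thread's log excerpt.
PROBE_STEMS = (
    re.compile(r"/root\.exe$", re.I),                # backdoor left behind by Code Red II
    re.compile(r"/winnt/system32/cmd\.exe$", re.I),  # directory traversal to cmd.exe (Nimda)
    re.compile(r"/default\.ida$", re.I),             # Index Server .ida ISAPI filter (Code Red)
)

def parse_w3c(text):
    """Yield one dict per record, naming the columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed record: %r" % line)
            yield dict(zip(fields, values))

def classify(rec):
    """Verdict for one record: 4xx/500 on a probe path = failed, 200 = target exists."""
    stem, query = rec["cs-uri-stem"], rec.get("cs-uri-query", "-")
    if "?" in stem:  # query logged inline rather than in its own column
        stem, query = stem.split("?", 1)
    status = int(rec["sc-status"])
    # Decode %5c / %2f so an encoded traversal matches the same as literal slashes.
    if not any(p.search(unquote(stem)) for p in PROBE_STEMS):
        return "benign"
    if stem.lower().endswith("/default.ida") and query not in ("", "-"):
        # A payload in the query string is an exploit attempt, not just a probe.
        return "exploit-attempt" if status == 200 else "exploit-blocked"
    return "exposed" if 200 <= status < 300 else "blocked"

def triage(text):
    """Group (c-ip, cs-uri-stem, sc-status) triples by verdict."""
    out = {}
    for rec in parse_w3c(text):
        out.setdefault(classify(rec), []).append(
            (rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return out

# Constructed sample: thread lines plus one benign hit and the request geoffryn described.
SAMPLE = """#Fields: time c-ip cs-method cs-uri-stem sc-status
06:13:41 202.98.62.200 GET /scripts/root.exe 404
06:13:47 202.98.62.200 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
06:14:00 192.0.2.7 GET /index.htm 200
08:23:22 202.111.154.51 GET /default.ida 200
08:23:25 202.111.154.51 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200"""
```

Anything under "exposed" or "exploit-attempt" is what jhance's "FIX THIS NOW" refers to; "blocked" entries are the failed probes the 404/500 lines represent.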
Author Comment

by:jchew
ID: 7007520
I tried the following

http://my.server/default.ida

and got the following reply

The IDQ file default.ida could not be found.

Does this mean I'm safe? I have updated my Win2k with all the MS critical updates.

BTW, can you please tell me what an ida file is?

Thanks.

Expert Comment

by:jhance
ID: 7007566
It's a sample file that is included with IIS.  It is NOT needed for normal IIS web site operations and it is a known security risk.  Delete the file and be safe.

Author Comment

by:jchew
ID: 7007602
Thanks for the info...